534500x80000000000000002701268Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.979{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeWIN-HOST-MHAAG-\Administrator 534500x80000000000000002701267Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.963{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002701266Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701265Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002701264Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002701263Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002701262Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701261Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701260Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701259Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701258Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002701257Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002701256Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.963{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514b.msiMD5=47B535A9C2480FAD4788850FF2AE76D2,SHA256=3293A5CB821F391F6B0E1328D23B15047C4A43EFBFEEF5FEA057DBACDBD68D85falsetrue 10341000x80000000000000002700875Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}39724500C:\Windows\System32\MsiExec.exe{7CF983DC-9838-62AC-636B-000000006202}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002700874Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.710{7CF983DC-9838-62AC-636B-000000006202}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host JScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 7C173E38E1EF41FEEA4D5D00A0801E5EWIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700873Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700872Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700871Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700870Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700869Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700868Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700867Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700866Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700865Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700864Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700863Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700862Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700861Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700860Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.698{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManagerWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700859Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700858Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700857Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700856Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700855Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700854Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.682{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700853Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=6E948305B041BE52E45E9E942C78A3F4,SHA256=93C4A201E3627E617C478054BAB472553CF48B84C32DE2F0A316F30F4A61A782trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700851Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700850Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=012C02BB5DD8EC0FD4AC2688D8D4D0CF,SHA256=B73B3C361F6B07960B092485CE8C96A4E68F741D718C6E847FF37C5BA5227C18trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700849Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-EE56-62A8-1500-000000006202}10482524C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700848Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700847Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700846Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows Script\SettingsWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700845Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700844Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\jscript.dll5.812.10240.16384Microsoft ® JScriptMicrosoft ® JScriptMicrosoft Corporationjscript.dllMD5=017AA3E55F15439E32C6F461E5686CCD,SHA256=8117D34017F6F90BC9DC68E3F79346E62E389AFE9E154FF0FCB99FB921845486trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700843Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700842Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700841Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}39721608C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002700840Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700839Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700838Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700837Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700836Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700835Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700834Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700833Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700832Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.666{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700831Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700830Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700829Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700828Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700827Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700826Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700825Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700824Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700823Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700822Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700821Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700820Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700819Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700818Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700817Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700816Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700815Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700814Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700813Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700812Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700811Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700810Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700809Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.651{7CF983DC-EE97-62A8-7E00-000000006202}18083200C:\Windows\system32\csrss.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700808Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700807Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700806Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700805Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700804Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-EE55-62A8-0500-000000006202}396412C:\Windows\system32\csrss.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700803Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.635{7CF983DC-981D-62AC-1A6B-000000006202}48403724C:\Windows\system32\msiexec.exe{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002700802Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.648{7CF983DC-9838-62AC-626B-000000006202}3972C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 7C173E38E1EF41FEEA4D5D00A0801E5EC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 13241300x80000000000000002700801Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002700800Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002700799Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002700798Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002700797Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700796Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002700795Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840892C:\Windows\system32\msiexec.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700794Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002700793Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.619{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002700792Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002700791Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514b.msi2022-06-13 14:04:24.0002022-06-17 15:05:28.604NT AUTHORITY\SYSTEM 10341000x80000000000000002700790Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002700789Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002700788Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514b.msi2022-06-17 15:05:28.604NT AUTHORITY\SYSTEM 23542300x80000000000000002700787Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514b.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002700786Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514b.msi2022-06-17 15:05:28.604NT AUTHORITY\SYSTEM 10341000x80000000000000002700784Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700783Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700782Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700781Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700780Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700779Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700778Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700777Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700776Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700775Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700774Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700773Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700772Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700771Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700770Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700769Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700768Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700767Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700766Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700765Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700764Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.604{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700763Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700762Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700761Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700760Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700759Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700758Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700757Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700756Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700755Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700754Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700753Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700752Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700751Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700750Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 18141800x80000000000000002700748Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-ConnectPipe2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400\wkssvcc:\temp\msiexec.exeWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700747Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700746Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700745Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700744Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700743Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700742Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-1500-000000006202}10482524C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700741Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700740Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700739Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.588{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700738Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700737Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700736Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700735Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700734Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700733Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700732Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700731Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700730Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700729Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700728Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700727Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700726Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700725Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700724Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700723Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700722Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700721Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700720Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700719Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700718Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700717Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.573{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700716Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700715Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700714Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700713Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700712Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700711Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700710Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700709Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700708Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700707Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700706Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exeC:\Temp\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700704Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-EE97-62A8-7E00-000000006202}18083200C:\Windows\system32\csrss.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700703Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.557{7CF983DC-9838-62AC-5F6B-000000006202}4764372C:\Windows\SYSTEM32\cmd.exe{7CF983DC-9838-62AC-616B-000000006202}4400c:\temp\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002700702Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.565{7CF983DC-9838-62AC-616B-000000006202}4400C:\Temp\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9838-62AC-5F6B-000000006202}4764C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002700667Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.545{7CF983DC-9838-62AC-606B-000000006202}4088C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9838-62AC-5F6B-000000006202}4764C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002700660Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:28.492{7CF983DC-9838-62AC-5F6B-000000006202}4764C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\temp\msiexec.exe /q /i "C:\AtomicRedTeam\atomics\T1218.007\src\T1218.007_JScript.msi""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 354300x80000000000000002700562Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.816{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15-64430-false185.199.110.133-443- 22542200x80000000000000002700557Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.811{7CF983DC-981D-62AC-1A6B-000000006202}4840raw.githubusercontent.com0::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;C:\Windows\System32\msiexec.exeNT AUTHORITY\SYSTEM 22542200x80000000000000002700556Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.766{7CF983DC-981D-62AC-1A6B-000000006202}4840github.com0::ffff:192.30.255.112;C:\Windows\System32\msiexec.exeNT AUTHORITY\SYSTEM 354300x80000000000000002700555Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:10.771{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15-64429-false192.30.255.112-443- 534500x80000000000000002700541Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.959{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 534500x80000000000000002700540Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.959{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700539Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700538Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002700537Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002700536Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002700535Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700534Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700533Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700532Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700531Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700530Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002700529Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.959{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI62FC.tmpMD5=47B535A9C2480FAD4788850FF2AE76D2,SHA256=3293A5CB821F391F6B0E1328D23B15047C4A43EFBFEEF5FEA057DBACDBD68D85falsetrue 10341000x80000000000000002700152Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}10281888C:\Windows\System32\MsiExec.exe{7CF983DC-9829-62AC-5B6B-000000006202}3084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002700151Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.722{7CF983DC-9829-62AC-5B6B-000000006202}3084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host JScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 5A1A6FD002EAB33CF0BA30CBB2A9EC06WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700150Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700149Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700148Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002700147Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700146Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700145Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700144Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700143Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700142Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700141Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700140Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700139Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700138Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700137Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.709{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManagerWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700136Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700135Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700134Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700133Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700132Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700131Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700130Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=6E948305B041BE52E45E9E942C78A3F4,SHA256=93C4A201E3627E617C478054BAB472553CF48B84C32DE2F0A316F30F4A61A782trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700129Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700128Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=012C02BB5DD8EC0FD4AC2688D8D4D0CF,SHA256=B73B3C361F6B07960B092485CE8C96A4E68F741D718C6E847FF37C5BA5227C18trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700127Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700126Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700125Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002700124Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows Script\SettingsWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700123Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700122Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\jscript.dll5.812.10240.16384Microsoft ® JScriptMicrosoft ® JScriptMicrosoft Corporationjscript.dllMD5=017AA3E55F15439E32C6F461E5686CCD,SHA256=8117D34017F6F90BC9DC68E3F79346E62E389AFE9E154FF0FCB99FB921845486trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700121Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700120Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700119Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.694{7CF983DC-9829-62AC-5A6B-000000006202}10282136C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002700118Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700117Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700116Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700115Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700114Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700113Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700112Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700111Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700110Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700109Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700108Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700107Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700106Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700105Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700104Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700103Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.678{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700102Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700101Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700100Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700099Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700098Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700097Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700096Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700095Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700094Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700093Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700092Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700091Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700090Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700089Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700088Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700087Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-EE97-62A8-7E00-000000006202}18083200C:\Windows\system32\csrss.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700086Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700085Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700084Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700083Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700082Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-EE55-62A8-0500-000000006202}396412C:\Windows\system32\csrss.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002700081Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.662{7CF983DC-981D-62AC-1A6B-000000006202}48402240C:\Windows\system32\msiexec.exe{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002700080Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.669{7CF983DC-9829-62AC-5A6B-000000006202}1028C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 5A1A6FD002EAB33CF0BA30CBB2A9EC06C:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 13241300x80000000000000002700079Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002700078Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002700077Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002700076Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002700075Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002700074Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:13.647{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002700073Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-981D-62AC-1A6B-000000006202}48403512C:\Windows\system32\msiexec.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002700072Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002700071Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002700070Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 10341000x80000000000000002700069Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002700068Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002700067Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.631{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI62FC.tmp2022-06-17 15:05:13.631NT AUTHORITY\SYSTEM 10341000x80000000000000002699966Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699965Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699964Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699963Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699962Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699961Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699960Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699959Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699958Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699957Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699956Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699955Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699954Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699953Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699952Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699951Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699950Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699949Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699948Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699947Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699946Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699945Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699944Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699943Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699942Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699941Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699940Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.397{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699939Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699938Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699937Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699936Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699935Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699933Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699932Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699931Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 18141800x80000000000000002699928Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-ConnectPipe2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736\wkssvcc:\windows\system32\msiexec.exeWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699926Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699925Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699924Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699923Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699922Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699919Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699918Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699917Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699916Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699915Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699914Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699913Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.381{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699912Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699911Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699910Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699909Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699908Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699907Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699906Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699905Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699904Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699896Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699889Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699887Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699884Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699882Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699877Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699876Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699874Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699873Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.366{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699872Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699871Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699870Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699869Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699868Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699867Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699866Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699865Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699864Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699863Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699861Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699860Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699858Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-EE97-62A8-7E00-000000006202}18083200C:\Windows\system32\csrss.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699857Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.350{7CF983DC-9829-62AC-576B-000000006202}6281956C:\Windows\SYSTEM32\cmd.exe{7CF983DC-9829-62AC-596B-000000006202}3736c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002699856Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.359{7CF983DC-9829-62AC-596B-000000006202}3736C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\windows\system32\msiexec.exe /q /i "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9829-62AC-576B-000000006202}628C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699746Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.337{7CF983DC-9829-62AC-586B-000000006202}3856C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9829-62AC-576B-000000006202}628C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699728Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.303{7CF983DC-9829-62AC-576B-000000006202}628C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /q /i "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x80000000000000002699457Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.256{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699452Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916332c:\windows\system32\msiexec.exe{7CF983DC-9818-62AC-156B-000000006202}2584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll+1321|c:\windows\system32\msiexec.exe+42e0|c:\windows\system32\msiexec.exe+62bd|c:\windows\system32\msiexec.exe+7166|c:\windows\system32\msiexec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002699451Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.255{7CF983DC-9829-62AC-556B-000000006202}2584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -nop -Command Write-Host DllUnregisterServer export executed me; exitC:\AtomicRedTeam\atomics\T1218.007\src\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exec:\windows\system32\msiexec.exe /z "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll"WIN-HOST-MHAAG-\Administrator 734700x80000000000000002699450Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll-----MD5=52E020CF3FCDD1357E769B95FB36072F,SHA256=6F2F3FE71A9673C8D9AD17517D51595182622CBD12FEEAEA93E313267CBE29BDfalse-UnavailableWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699449Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-546B-000000006202}3916c:\windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699448Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-546B-000000006202}3916c:\windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699447Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699446Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699445Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699444Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699443Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699442Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699441Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699440Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699439Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699438Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699437Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699436Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699435Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699434Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699432Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699430Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699429Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699427Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699426Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.241{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699424Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699423Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699421Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699420Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699417Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699416Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699415Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699414Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699411Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-EE97-62A8-7E00-000000006202}18083264C:\Windows\system32\csrss.exe{7CF983DC-9829-62AC-546B-000000006202}3916c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699410Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.225{7CF983DC-9829-62AC-526B-000000006202}6963612C:\Windows\SYSTEM32\cmd.exe{7CF983DC-9829-62AC-546B-000000006202}3916c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002699409Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.233{7CF983DC-9829-62AC-546B-000000006202}3916C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\windows\system32\msiexec.exe /z "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9829-62AC-526B-000000006202}696C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /z "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699349Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.213{7CF983DC-9829-62AC-536B-000000006202}3480C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9829-62AC-526B-000000006202}696C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /z "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699339Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.180{7CF983DC-9829-62AC-526B-000000006202}696C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /z "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x80000000000000002699087Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.131{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699082Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.131{7CF983DC-9829-62AC-4F6B-000000006202}16083972c:\windows\system32\msiexec.exe{7CF983DC-9826-62AC-306B-000000006202}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll+120b|c:\windows\system32\msiexec.exe+42e0|c:\windows\system32\msiexec.exe+62bd|c:\windows\system32\msiexec.exe+7166|c:\windows\system32\msiexec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002699081Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.133{7CF983DC-9829-62AC-506B-000000006202}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -nop -Command Write-Host DllRegisterServer export executed me; exitC:\AtomicRedTeam\atomics\T1218.007\src\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exec:\windows\system32\msiexec.exe /y "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll"WIN-HOST-MHAAG-\Administrator 734700x80000000000000002699080Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.131{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll-----MD5=52E020CF3FCDD1357E769B95FB36072F,SHA256=6F2F3FE71A9673C8D9AD17517D51595182622CBD12FEEAEA93E313267CBE29BDfalse-UnavailableWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699079Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.131{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-4F6B-000000006202}1608c:\windows\system32\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699078Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9829-62AC-4F6B-000000006202}1608c:\windows\system32\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699077Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699076Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699075Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699074Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699073Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699072Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699071Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699070Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699069Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699068Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699067Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699066Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699065Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699064Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699063Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699062Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699061Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699060Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699059Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699058Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699057Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699056Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699055Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699054Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.116{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699053Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.100{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699052Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.100{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002699051Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.100{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699049Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.100{7CF983DC-EE97-62A8-7E00-000000006202}18083264C:\Windows\system32\csrss.exe{7CF983DC-9829-62AC-4F6B-000000006202}1608c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002699048Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.100{7CF983DC-9829-62AC-4D6B-000000006202}33002248C:\Windows\SYSTEM32\cmd.exe{7CF983DC-9829-62AC-4F6B-000000006202}1608c:\windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002699047Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.113{7CF983DC-9829-62AC-4F6B-000000006202}1608C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\windows\system32\msiexec.exe /y "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-9829-62AC-4D6B-000000006202}3300C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /y "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699012Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.094{7CF983DC-9829-62AC-4E6B-000000006202}4500C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{7CF983DC-9829-62AC-4D6B-000000006202}3300C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /y "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""WIN-HOST-MHAAG-\Administrator 154100x80000000000000002699005Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:13.063{7CF983DC-9829-62AC-4D6B-000000006202}3300C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\msiexec.exe /y "C:\AtomicRedTeam\atomics\T1218.007\src\MSIRunner.dll""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{7CF983DC-EEA1-62A8-9500-000000006202}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 12241200x80000000000000002698985Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698984Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002698983Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002698982Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002698981Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698980Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698979Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698978Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698977Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698976Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002698975Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.975{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514a.msiMD5=3B5B5DC790399E957405F1ACF5E5C9CE,SHA256=656E2F62121A69A972DBFFBCC92E4440351467B0650148BE14226899DAA1B698falsetrue 23542300x80000000000000002698969Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.959{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI601C.tmpMD5=712BD86DBDB06FD26F245F24BEE2F999,SHA256=DA97C4B389579841D5627E0C06FF7B8452121DF34BA5453819F74F071157CC9Etruetrue 10341000x80000000000000002698873Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.897{7CF983DC-981D-62AC-1A6B-000000006202}48404868C:\Windows\system32\msiexec.exe{7CF983DC-9828-62AC-4B6B-000000006202}4016C:\Windows\Installer\MSI601C.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ec6fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002698872Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.902{7CF983DC-9828-62AC-4B6B-000000006202}4016C:\Windows\Installer\MSI601C.tmp0.0.0.0 --PrintArgs.exe"C:\Windows\Installer\MSI601C.tmp" "Hello, Atomic Red Team from an EXE!"C:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=712BD86DBDB06FD26F245F24BEE2F999,SHA256=DA97C4B389579841D5627E0C06FF7B8452121DF34BA5453819F74F071157CC9E{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 10341000x80000000000000002698871Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.897{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002698870Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.897{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002698869Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.897{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI601C.tmp2022-06-17 15:05:12.897NT AUTHORITY\SYSTEM 13241300x80000000000000002698868Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002698867Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002698866Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002698865Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002698864Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698863Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002698862Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}48402548C:\Windows\system32\msiexec.exe{7CF983DC-9826-62AC-3B6B-000000006202}4244C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000002698861Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002698860Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002698859Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002698858Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514a.msi2022-06-13 14:04:24.0002022-06-17 15:05:12.866NT AUTHORITY\SYSTEM 10341000x80000000000000002698857Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002698856Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002698855Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514a.msi2022-06-17 15:05:12.866NT AUTHORITY\SYSTEM 23542300x80000000000000002698854Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514a.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002698853Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.866{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f514a.msi2022-06-17 15:05:12.866NT AUTHORITY\SYSTEM 534500x80000000000000002698125Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.491{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002698119Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698118Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002698117Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002698116Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002698115Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698114Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698111Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698109Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698108Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002698106Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.491{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002698105Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.475{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5149.msiMD5=B4DFDB4509DCB4B46CD5C654612D88BB,SHA256=16E90C61C9F253F5AB98100BA113E4E2970C3AF603F036ED12D6AE121C57B678falsetrue 23542300x80000000000000002698053Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.459{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI5E47.tmpMD5=52E020CF3FCDD1357E769B95FB36072F,SHA256=6F2F3FE71A9673C8D9AD17517D51595182622CBD12FEEAEA93E313267CBE29BDtruetrue 10341000x80000000000000002698047Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.459{7CF983DC-9828-62AC-466B-000000006202}25364024C:\Windows\System32\MsiExec.exe{7CF983DC-9828-62AC-476B-000000006202}3424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Installer\MSI5E47.tmp+10ef|C:\Windows\System32\msi.dll+ea965|C:\Windows\System32\msi.dll+afe66|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002698046Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.466{7CF983DC-9828-62AC-476B-000000006202}3424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -nop -Command Write-Host CustomAction export executed me; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 4F5D5687D3E790ACEA8C2DFA6BC0C5ACWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698045Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.459{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\Installer\MSI5E47.tmp-----MD5=52E020CF3FCDD1357E769B95FB36072F,SHA256=6F2F3FE71A9673C8D9AD17517D51595182622CBD12FEEAEA93E313267CBE29BDfalse-UnavailableWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002698044Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.459{7CF983DC-9828-62AC-466B-000000006202}25363512C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002698043Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698042Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698041Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698040Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698039Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698038Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698037Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698036Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002698035Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698034Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698033Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698032Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698031Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698030Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698029Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698028Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698027Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698026Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.444{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698025Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698024Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698023Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698022Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698021Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698020Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698019Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698018Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698017Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698016Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698015Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698014Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698013Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002698012Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-EE97-62A8-7E00-000000006202}18083200C:\Windows\system32\csrss.exe{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698011Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698010Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698009Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002698008Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002698007Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-EE55-62A8-0500-000000006202}396512C:\Windows\system32\csrss.exe{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002698006Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-981D-62AC-1A6B-000000006202}48403860C:\Windows\system32\msiexec.exe{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002698005Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.435{7CF983DC-9828-62AC-466B-000000006202}2536C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 4F5D5687D3E790ACEA8C2DFA6BC0C5ACC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 10341000x80000000000000002698004Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002698003Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002698002Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.428{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI5E47.tmp2022-06-17 15:05:12.428NT AUTHORITY\SYSTEM 13241300x80000000000000002698001Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002698000Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002697999Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002697998Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002697997Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697996Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.412{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002697995Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}48403192C:\Windows\system32\msiexec.exe{7CF983DC-9826-62AC-3B6B-000000006202}4244C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000002697994Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002697993Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002697992Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002697991Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5149.msi2022-06-13 14:04:24.0002022-06-17 15:05:12.397NT AUTHORITY\SYSTEM 10341000x80000000000000002697990Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002697989Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-EE56-62A8-0B00-000000006202}6121816C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002697988Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5149.msi2022-06-17 15:05:12.397NT AUTHORITY\SYSTEM 23542300x80000000000000002697987Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5149.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002697986Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.397{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5149.msi2022-06-17 15:05:12.397NT AUTHORITY\SYSTEM 534500x80000000000000002697569Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.037{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697568Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697567Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002697566Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002697565Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002697564Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697563Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697562Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697561Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697560Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697559Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002697558Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:12.037{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5148.msiMD5=AEA42482EBB78BD94F063AD4ED15E428,SHA256=8561D6CEEDEB83C16F3A23CC62E6CDB924B2157D10880A90E5F211B760BF4988falsetrue 10341000x80000000000000002697177Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.772{7CF983DC-9827-62AC-416B-000000006202}24243576C:\Windows\System32\MsiExec.exe{7CF983DC-9827-62AC-426B-000000006202}864C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002697176Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.773{7CF983DC-9827-62AC-426B-000000006202}864C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host VBScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 5625188F216DB3876EA773B268668ECDWIN-HOST-MHAAG-\Administrator 13241300x80000000000000002697175Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002697174Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002697173Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002697172Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697171Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697170Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697169Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697168Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697167Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697166Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697165Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697164Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697163Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697162Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManagerWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697161Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697160Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697159Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.756{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697158Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697157Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697156Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697155Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=6E948305B041BE52E45E9E942C78A3F4,SHA256=93C4A201E3627E617C478054BAB472553CF48B84C32DE2F0A316F30F4A61A782trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697154Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697153Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=012C02BB5DD8EC0FD4AC2688D8D4D0CF,SHA256=B73B3C361F6B07960B092485CE8C96A4E68F741D718C6E847FF37C5BA5227C18trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697152Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-EE56-62A8-1500-000000006202}10482344C:\Windows\system32\svchost.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697151Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-EE56-62A8-1500-000000006202}10481096C:\Windows\system32\svchost.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697150Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002697149Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows Script\SettingsWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697148Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697147Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\vbscript.dll5.812.10240.16384Microsoft ® VBScriptMicrosoft ® VBScriptMicrosoft Corporationvbscript.dllMD5=B9598FFF335D808F6E4B3B19F0E1E0F3,SHA256=79B0FF39BC2E399748CE6FD8683A7B635B7D245B71F9063C2A93D3100B4F97D6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697146Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697145Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697144Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424136C:\Windows\System32\MsiExec.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\MsiExec.exe+6bca|C:\Windows\System32\MsiExec.exe+7166|C:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000002697143Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697142Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697141Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697140Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\windows.storage.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=BB44598D2B17603D605EDE11A148A21B,SHA256=C45410A330C2EC62581E18FD91F8CDB9873B8F64E5C5ACC79DB4970238077177trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697139Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697138Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\shell32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B47A76105A5F59EDA244105A6D5D51D1,SHA256=012675AF0811AA0787D3731FED4D186F6D1B6279F27B2BF360AB49CA457F4E25trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697137Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.741{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\msi.dll5.0.14393.5127Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=F8E11A5BD7A918A13BA3C7924B5AD360,SHA256=98B5EBA9E9A0DD04885D594851A6CACF79304F7524959F502F5DA034B2C6BE60trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697136Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697135Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-EE56-62A8-0C00-000000006202}708752C:\Windows\system32\svchost.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697134Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697133Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697132Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697131Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697130Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697129Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697128Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697127Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697126Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\winspool.drv10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=592EDD495F3F412C7E917CABE9B2A15E,SHA256=FC5D6EA6C14E6AA94ADE04D6D0C3AAAB8942864B118DE8219A712133DEF50550trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697125Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DDtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697124Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697123Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=920CEBB474555470F1FFB129AD6E19D8,SHA256=DE1C8EA3EF80E7A0E42664559AF3B29FE89E29189382AFC0B438D9C21E2D909AtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697122Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697121Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\combase.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=148F67CE7413EB2D4D777030DFCCD28B,SHA256=5CBD4E213A26B9D8BE56677946D294F65FC615D710F8E07909B643D437819161trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697120Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697119Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697118Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697117Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697116Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697115Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697114Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.725{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\AppPatch\apppatch64\AcLayers.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Windows Compatibility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACLAYERS.DLLMD5=18D8E2D6C17577D91A40C4A5AD9F6E37,SHA256=9E9CF9446EDA1F064E996F2022DBD3B3C7D6778574EA790B2B0412EA41C5F5F0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697113Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697112Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-EE97-62A8-7E00-000000006202}18083404C:\Windows\system32\csrss.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697111Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697110Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697109Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002697108Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exeC:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697107Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-EE55-62A8-0500-000000006202}396512C:\Windows\system32\csrss.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002697106Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.709{7CF983DC-981D-62AC-1A6B-000000006202}48403916C:\Windows\system32\msiexec.exe{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Windows\system32\Msi.dll+ba6c8|C:\Windows\system32\Msi.dll+16e294|C:\Windows\system32\Msi.dll+16e90c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 154100x80000000000000002697105Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.720{7CF983DC-9827-62AC-416B-000000006202}2424C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\System32\MsiExec.exe -Embedding 5625188F216DB3876EA773B268668ECDC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /VNT AUTHORITY\SYSTEM 13241300x80000000000000002697104Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceDWORD (0x00000001)NT AUTHORITY\SYSTEM 12241200x80000000000000002697103Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 13241300x80000000000000002697102Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000002697101Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002697100Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002697099Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 10341000x80000000000000002697098Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}48401952C:\Windows\system32\msiexec.exe{7CF983DC-9826-62AC-3B6B-000000006202}4244C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19fdbd|C:\Windows\system32\Msi.dll+2ea9e|C:\Windows\system32\Msi.dll+474f5|C:\Windows\system32\Msi.dll+10b3b5|C:\Windows\system32\Msi.dll+10a5d6|C:\Windows\system32\Msi.dll+f4b9f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000002697097Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.694{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll4.8.3761.0 built by: NET48REL1Assembly managerMicrosoft® .NET FrameworkMicrosoft Corporationfusion.dllMD5=2A73BA7551F7B631AA484CAABD372F06,SHA256=F876EEEC603221DCDD098D1E2A1118012254E9C67851E749DF61D573EA949F55trueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002697096Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValidNT AUTHORITY\SYSTEM 734700x80000000000000002697095Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\System32\msiexec.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 254200x80000000000000002697094Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5148.msi2022-06-13 14:04:24.0002022-06-17 15:05:11.678NT AUTHORITY\SYSTEM 10341000x80000000000000002697093Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000002697092Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 11241100x80000000000000002697091Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5148.msi2022-06-17 15:05:11.678NT AUTHORITY\SYSTEM 23542300x80000000000000002697090Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5148.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x80000000000000002697089Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.678{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5148.msi2022-06-17 15:05:11.678NT AUTHORITY\SYSTEM 534500x80000000000000002696673Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.319{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002696672Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696671Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\OwnerNT AUTHORITY\SYSTEM 12241200x80000000000000002696670Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHashNT AUTHORITY\SYSTEM 12241200x80000000000000002696669Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-DeleteValue2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000\SequenceNT AUTHORITY\SYSTEM 12241200x80000000000000002696668Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696667Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696666Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696665Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696664Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 12241200x80000000000000002696663Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840C:\Windows\system32\msiexec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\RestartManager\Session0000NT AUTHORITY\SYSTEM 23542300x80000000000000002696662Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.303{7CF983DC-981D-62AC-1A6B-000000006202}4840NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\e4f5147.msiMD5=47B535A9C2480FAD4788850FF2AE76D2,SHA256=3293A5CB821F391F6B0E1328D23B15047C4A43EFBFEEF5FEA057DBACDBD68D85falsetrue 10341000x80000000000000002696277Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}31883088C:\Windows\System32\MsiExec.exe{7CF983DC-9827-62AC-3D6B-000000006202}2588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x80000000000000002696276Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.052{7CF983DC-9827-62AC-3D6B-000000006202}2588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host JScript executed me!; exitC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{7CF983DC-EE99-62A8-FF22-070000000000}0x722ff2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\MsiExec.exe -Embedding C2200B2A80695614509AECEE4CBDCC3CWIN-HOST-MHAAG-\Administrator 13241300x80000000000000002696275Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002696274Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002696273Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 13241300x80000000000000002696272Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-SetValue2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)WIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696271Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696270Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-EE56-62A8-0B00-000000006202}6125036C:\Windows\system32\lsass.exe{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696269Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002696268Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKU\S-1-5-21-3078578304-2316546942-2249307483-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696267Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696266Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1ECtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696265Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\iertutil.dll11.00.14393.5006 (rs1_release.220301-1704)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=153A3C6C45E23363BC842795FD49E7A3,SHA256=06DFA7248890579938106FF7527BB8FD0091A24D1C1667CB6583A4D239885141trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696264Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\urlmon.dll11.00.14393.5006 (rs1_release.220301-1704)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=72DA72C24A0AD3C49AC956DC083EEDF3,SHA256=2DB817631EC24840FDED7C584BC08F03D3549D93552C8E20005E18BA5E81CA12trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696263Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002696262Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.037{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManagerWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002696261Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersWIN-HOST-MHAAG-\Administrator 12241200x80000000000000002696260Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-CreateKey2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696259Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696258Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696257Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696256Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696255Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=6E948305B041BE52E45E9E942C78A3F4,SHA256=93C4A201E3627E617C478054BAB472553CF48B84C32DE2F0A316F30F4A61A782trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696254Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x80000000000000002696253Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\msiexec.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=012C02BB5DD8EC0FD4AC2688D8D4D0CF,SHA256=B73B3C361F6B07960B092485CE8C96A4E68F741D718C6E847FF37C5BA5227C18trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x80000000000000002696252Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-979-2022-06-17 15:05:11.022{7CF983DC-EE56-62A8-1500-000000006202}10483980C:\Windows\system32\svchost.exe{7CF983DC-9826-62AC-3C6B-000000006202}3188C:\Windows\System32\MsiExec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x8000000000000000